Answers

ASM & Splunk integration

hi,

I have installed & configured Splunk for F5 and am able to get LTM self-IP, source-IP etc. logs on the Splunk server. So, kindly provide any document or help to integrate ASM with Splunk. Does it require an iRule to be configured on ASM?

Thank you in advance!

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

All you should have to do is define your remote logging options under System and define your inputs on Splunk. The F5 will automagically send anything that is standard syslog to that remote address. For ASM/APM you can collect data using High Speed Logging (HSL) or AVR and configure the publishers/destinations for each. Configure a pool (or pools) that has your indexer/port defined as a member, or you could even create a VIP to handle load balancing between indexers if you wanted, and your AVR/HSL destination could be a pool with the VIP address as its member.

Comments on this Answer
Comment made 20-Apr-2016 by mortoj 147
I am currently working on getting ASM logs over to both Splunk (syslog format) and ArcSight (CEF format). I found this link useful for understanding Field/Value/Description for Splunk and ArcSight as well as for creating Custom Logging Profiles. Thought I'd share: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-4-0/10.html
You won't need any iRules to log out to a Splunk server from ASM. What you will need to do is configure a Remote Logging Profile with the relevant options and assign it to your ASM Web Application. There are some sections in the relevant Configuration Guides for ASM which describe this:

For v9.4.5-9.4.8:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_945_config_guide/asm_sys_mgmt.html#1028448

For v10.x:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10/asm_sys_mgmt.html#1028448

Aaron

hello guys,

just to recap this conversation, which you started some time ago: I am having problems getting Splunk fully functional after following the steps in the pdf file that came with the app's package. The field attack_type, used in many queries of the first app menu group, is presenting, I imagine, wrong data. It is presenting graphs with symbols such as commas, double quotes and single quotes. I will count on your help to understand whether it is a problem or not... could you give me a hand on that? Thanks a lot and looking forward to hearing from you.

Cheers, WB


I am having the same issue. Latest Splunk, latest F5 app, and it fails to work as the data is in quotes?

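The quoted attack_type values with embedded commas that the two posts above describe are exactly what a plain comma split mishandles. As an added example (not code from this thread or from the Splunk for F5 app), here is a Python parser for ASM's comma-separated key="value" remote-logging storage format, using a constructed sample line and an assumed set of multi-valued fields:

```python
# Constructed sample line in ASM's comma-separated key="value" storage format; hostnames, policy and values are made up.
SAMPLE = (
    'unit_hostname="bigip1.example.test",'
    'policy_name="/Common/web_policy",'
    'attack_type="Non-browser Client,Abuse of Functionality",'
    'violations="Illegal meta character in value",'
    'request="GET /search?q=test HTTP/1.1",'
    'request_status="blocked",'
    'response_code="0"'
)

# Fields ASM fills with a comma-separated list (assumption for this example).
MULTI_VALUED = {"attack_type", "violations"}

def naive_pieces(line: str) -> list:
    """Plain comma split: the two-valued attack_type is torn into separate pieces."""
    return line.split(",")

def parse_asm_kv(line: str) -> dict:
    """Scan key="value" pairs one character at a time; commas and backslash-escaped quotes
    inside a quoted value stay in the value. Malformed input raises instead of truncating."""
    fields, i, n = {}, 0, len(line)
    while i < n:
        eq = line.find('="', i)          # i always sits at the start of a key
        if eq == -1:
            raise ValueError(f'expected key="value" at offset {i}')
        key = line[i:eq]
        if not key.isidentifier():
            raise ValueError(f"bad key {key!r} at offset {i}")
        j, buf = eq + 2, []
        while j < n and line[j] != '"':
            if line[j] == "\\" and j + 1 < n:   # assumed escape form \" inside a value
                j += 1
            buf.append(line[j])
            j += 1
        if j >= n:
            raise ValueError(f"unterminated value for {key}")
        fields[key] = "".join(buf)
        i = j + 1
        if i < n and line[i] != ",":
            raise ValueError(f"expected ',' at offset {i}")
        i += 1
    return fields

def normalize(fields: dict) -> dict:
    """Turn known multi-valued fields into lists so each attack type is counted once in a dashboard."""
    return {k: (v.split(",") if k in MULTI_VALUED and v else v) for k, v in fields.items()}
```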

Make sure the logging profile is using a Remote Storage Type of Reporting Server.


Here's an article that might help:

ASM Logging: https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-10-event-logging#.Uz3F5bEo7IV

I'll also take a look on my lab setup to see if I can figure out the exact details for ASM and Splunk configuration.


So it doesn't seem possible to have all contents of /var/log/asm sent to Splunk, similar to how /var/log/ltm and /var/log/audit get sent to Splunk by default?
